Manual removal

Next, open the registry (click ‘Start’, choose ‘Run’ and enter ‘regedit’), and find the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Delete the ‘ZyncosMark’ entry on the right.

Restart the computer and you should be able to delete the entire ‘zyncosspace’ folder inside ‘Program Files’ on the C: drive (even if that’s not where your normal Program Files folder is). You should also delete the entry ‘ACCESS.AccessCtrl.1’ in ‘Downloaded Program Files’ inside the Windows folder.

Description

An Internet Explorer toolbar with a pop-up advert-blocking feature, which also hijacks homepage and search settings to znext.com every time IE is started.

Also known as

ZeroPopUpBar, to distinguish it from the earlier standalone commercial popup-killer of the same name, by the same author. Note there is no connection to the similarly-named “ZeroPopup” by “Tooto Technologies”.

Distribution

‘Viral marketing’: some versions, when installed, send an endorsement purporting to be from you to everyone in your e-mail address book.

Also installed by ActiveX drive-by-download on the search bar pointed to by some variants of the parasite (also by the same author).

What it does

Advertising

No.

Privacy violation

No.

Security issues

No.

Stability problems

None known.

Removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the commands:

cd "%WinDir%\System"
regsvr32 /u zeropopupbar.dll

After restarting the computer, you should be able to open the System folder (inside the Windows folder, called ‘System32’ on Windows NT/2000/XP or ‘System’ on Windows 95/98/Me), and delete the zeropopupbar.dll file.

Finally, set your home page back to what it was before (from Internet Options->General->Start page) and restore your search settings (by clicking Internet Options->Programs->Reset Web Settings).

Links

McAfee’s info on ZeroPopup and the ‘Tellafriend’ variant.

The official site is www.zeropopup.com. (This isn’t a link because this page causes a download to occur straight away – take care.)

Description

HuntBar is a search-hijacker from Traffic Syndicate (controlling server dst.trafficsyndicate.com), with various additional features depending on version.

Variants

HuntBar/TS is the original version, also providing an IE toolbar with search features.

HuntBar/Side is an addition to HuntBar/TS which also pops open a search sidebar pointed at its own results when it detects you using search engines.

HuntBar/MSLink is a development of HuntBar/Side, dropping the toolbar from HuntBar/TS and adding the ability to redirect you instantly when browsing targeted web pages. This is typically used to hijack affiliate fees from merchant sites.

HuntBar/BTLink is an updated version of MSLink.

HuntBar/MSIn and HuntBar/BTIn are installer controls for both the MSLink and BTLink variants.

HuntBar/SToolbar also tries to hijack your homepage to WebSearch.com, and copies searches you make in known search engines to the search field in the toolbar as you type.

HuntBar/QDow is a small downloader ActiveX control used to load HuntBar/BTIn.

Distribution

Through ActiveX drive-by-download at affiliate sites, including pop-up advertising served by trafficsyndicate.com.

TrafficSyndicate, the makers of HuntBar, offer ‘co-branded’ versions of HuntBar which may be installed by other sites under a different name. Known partner sites include bullseyesgames.com and side-search.com.

What it does

Advertising

No.

Privacy violation

HuntBar/TS sends the domain name of the site being viewed, the domain name of any site previously being viewed and the title and any keywords in the current page to its controlling servers whenever a new site is viewed. It does this even if the toolbar is not turned on.

HuntBar/Side, MSLink, BTLink and SToolbar send URLs and search terms used to its controlling servers with a unique ID allowing your search engine usage to be tracked.

Security issues

Yes. HuntBar/TS, MSIn and BTIn can silently download and execute arbitrary code, as an update feature.

Stability problems

HuntBar/BTLink and SToolbar seem to cause IE to crash often on some setups with an ‘Exception E Access Violation’.

Removal

TrafficSyndicate offer two uninstaller files for HuntBar/TS, which have been reported not to work properly.

HuntBar/Side may put an entry called ‘MSIETS’ in the Control Panel’s Add/Remove Programs option, which should remove this variant.

HuntBar/MSLink and HuntBar/BTLink have two entries in the Control Panel’s Add/Remove Programs option, called ‘Internet 404’ and ‘Tools for Internet Explorer’. Both entries (which also demand an internet connection to work) must be removed to get rid of these variants, but it will leave the files intact and still won’t remove the MSIn or BTIn installer, which can reinstall the software automatically in the future.

HuntBar/SToolbar puts an entry called ‘Search Toolbar’ in Add/Remove Programs, which should work (though it requires an internet connection).

Ad-Aware reffile and Spybot S&D can remove HuntBar variants other than BTLink, BTIn and SToolbar.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories), and enter the following commands (for HuntBar/TS):

(Users of non-English versions of Windows will need to change ‘Program Files’ and ‘Common Files’ in the above commands to the names of these folders in the language Windows was installed in.)

Having done this you can restart the machine and delete the folder ‘Common Files\MSIETS’ (TS, Side, MSLink variants), ‘Common Files\BTLINK’ (BTLink variant) or ‘Search Toolber’ (SToolbar variant) from the Program Files folder.

Inside the System folder (which is inside the Windows folder, called ‘System’ under Windows 95/98/Me or ‘System32’ under Windows NT/2000/XP), you can delete the file ‘msiein.dll’ (MSIn variant) or ‘btiein.dll’ (BTIn variant).

To clean up, you can also open ‘Downloaded Program Files’ in the Windows folder and delete the entry ‘{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}’, ‘{59450DB0-341D-4436-B380-B8377D8B6796}’, ‘{D6E66235-7AA6-44ED-A06C-6F2033B1D993}’ or ‘{26E8361F-BCE7-4F75-A347-98C88B418322}’.

You can also open the registry (Start->Run->regedit), find the key HKEY_CURRENT_USER and delete the subkey ‘MSIETS’ (TS, Side variants), ‘MSIEIN’ (MSIn variant), ‘BTIEIN’ (BTIn variant), ‘BTLINK’ (BTLink variant) or ‘Search Toolbar’ (SToolbar variant).

After removing the software you may want to delete the shortcuts the HuntBar/Side and TS variants add to the desktop, start menu and favourites menu, and reset your search and home pages back to normal (Tools->Internet Options->Programs->Reset Web Settings).
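
To confirm that the manual removal above left nothing behind, the following read-only PowerShell audit checks for the HuntBar folders, DLLs, registry subkeys and ‘Downloaded Program Files’ entries named in this section. It is an added example, not part of the original page or any vendor tool. The ‘Distribution Units’ registry location and the extra check under HKEY_CURRENT_USER\Software are assumptions based on standard Windows behaviour, not statements from the page.

```powershell
# Added example: read-only audit for HuntBar leftovers. It reports; it deletes nothing.
# Folder names come from the environment, so localized Windows needs no editing.
# Assumption: 32-bit Windows of the page's era; on 64-bit systems the "(x86)"
# variants of these variables would apply instead.
$programFiles = $env:ProgramFiles
$commonFiles  = $env:CommonProgramFiles
$systemDirs   = "$env:WinDir\System32", "$env:WinDir\System"

# 'Downloaded Program Files' is a shell view; IE records each installed control
# under this key (standard Windows location, not stated on the page).
$distUnits = 'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units'

$targets = @(
    @{ Variant = 'TS, Side, MSLink'; Path = "$commonFiles\MSIETS" }
    @{ Variant = 'BTLink';           Path = "$commonFiles\BTLINK" }
    # The page spells this folder 'Search Toolber'; the wildcard also matches 'Search Toolbar'.
    @{ Variant = 'SToolbar';         Path = "$programFiles\Search Toolb?r" }
)
foreach ($dir in $systemDirs) {
    $targets += @{ Variant = 'MSIn'; Path = "$dir\msiein.dll" }
    $targets += @{ Variant = 'BTIn'; Path = "$dir\btiein.dll" }
}

$hkcuKeys = @{ 'MSIETS' = 'TS, Side'; 'MSIEIN' = 'MSIn'; 'BTIEIN' = 'BTIn'
               'BTLINK' = 'BTLink';   'Search Toolbar' = 'SToolbar' }
foreach ($name in $hkcuKeys.Keys) {
    # The page places these directly under HKEY_CURRENT_USER; the Software
    # subkey is checked as well (assumption).
    $targets += @{ Variant = $hkcuKeys[$name]; Path = "HKCU:\$name" }
    $targets += @{ Variant = $hkcuKeys[$name]; Path = "HKCU:\Software\$name" }
}

$clsids = '{8A05273A-2EA5-42DE-AA75-59EA7D9D50D7}', '{59450DB0-341D-4436-B380-B8377D8B6796}',
          '{D6E66235-7AA6-44ED-A06C-6F2033B1D993}', '{26E8361F-BCE7-4F75-A347-98C88B418322}'
foreach ($id in $clsids) {
    $targets += @{ Variant = 'Downloaded Program Files entry'; Path = "$distUnits\$id" }
}

# Keep only the artifacts that still exist on this machine.
$found = $targets | Where-Object { Test-Path -Path $_.Path } |
    ForEach-Object { [pscustomobject]@{ Variant = $_.Variant; Leftover = $_.Path } }

if ($found) { $found | Format-Table -AutoSize }
else        { 'No HuntBar artifacts from this list were found.' }
```

Any row in the output names the variant whose removal step still needs to be carried out for that path.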

Description

Httper is a pop-up opener and error-page hijacker implemented as an Internet Explorer Browser Helper Object. When enabled by its controlling server config.url404.com, Httper will redirect any web server error page to a sponsor’s site.

Distribution

Installed by the InternetWasher parasite, along with Zipclix. Both programs are controlled by popupblockade.com.

What it does

Advertising

Yes. At the time of writing this feature is not in use, but the software can be directed by its controlling server to show periodic advertisements.

Privacy violation

No.

Security issues

Yes.

Can be directed by its controlling server to download and execute arbitrary code as a self-updating feature.

Stability problems

No.

Removal

There should be an ‘Httper’ entry in the Control Panel’s Add/Remove Programs feature. This works correctly.

Manual removal

Open a DOS command prompt window (from Start->Programs->Accessories) and enter the following commands:

cd "%WinDir%\System"
regsvr32 /u "\Program Files\Httper\httper.dll"

After restarting the computer you should be able to delete the Httper folder inside Program Files.

You can also delete the key HKEY_CURRENT_USER\Software\Httper in the registry (Start->Run->regedit) to clean up if you like.

Description

Xupiter consists of an Internet Explorer toolbar containing link buttons to one of Xupiter’s search engines and a task run at Windows startup which downloads updates to the software and may launch pop-ups. It also contains functionality to hijack your home page and address bar searches, and add Xupiter links to your bookmarks.

Variants

Xupiter/Xupiter uses the site xupiter.com for all functions; Xupiter/Xjupiter is the same but uses xjupiter.com instead. Xupiter/2003 is the same as the Xupiter variant, but puts its DLL directly in its Program Files folder instead of in an ‘Updates’ folder.

Xupiter/BrowserWise points to browserwise.com but is still otherwise identical to Xupiter. Xupiter/Browser is a newer variant which still points to browserwise.com, but stores its program files in a folder called ‘Browser’ instead of ‘Xupiter’.

Xupiter/Sqwire is a newer variant pointing at sqwire.com. Its program files are stored in a ‘Sqwire’ folder, in a different layout to previous versions, and an installer DLL is left in Downloaded Program Files.

Xupiter/OrbitExplorer is the latest variant, pointing at orbitexplorer.com. Some of its program files are stored in an ‘Orbit’ folder in Program Files, the rest in an ‘OE’ folder in Common Files. It also has the installer DLL.

Also known as

XupiterToolbar (program name).

Distribution

Installed by ActiveX drive-by-download in affiliate pages. Known sources include the site www.freewebupgrades.com (which is advertised by junk e-mail) and pop-up adverts on sites such as FortuneCity and cjb.net subdomains.

More recently also bundled with Grokster.

One of Xupiter/Sqwire’s ActiveX drive-by-download pages has been advertised by junk e-mail (spam) offering a ‘Free Christian Toolbar’. Another pretends to be a program to disable Windows Messenger service pop-ups.

What it does

Advertising

Yes. Apart from the hijacking and added links, the software periodically opens pop-under advertisements as directed by its controlling servers. (These may appear in windows with only an ‘exit’ menu.)

Privacy violation

The privacy policy states that the software may track all web usage. However this behaviour has not been observed.

Security issues

Yes. The software contacts its servers to ask for update code, which is executed without checks. It has also been known to download third-party software (for instance a casino loader app).

Stability problems

In the initial variants, the update-checking task tries to connect to xupiter.com to download updates whether or not you are connected. If it fails it may cause a crash in ‘RunDownload.exe’. Some versions of Xupiter can cause the Windows Explorer to crash when opened under Windows XP.

Removal

The OrbitExplorer variant may have an uninstall available. Go to Add/Remove Programs in the Control Panel, choose ‘Orbit’ and click ‘Remove’.

Other variants have no built-in uninstall. An uninstaller is available through ActiveX drive-by-download from Xupiter sites; reports suggest this works for some but not all variants, and may leave a message on bootup that Xupiter must be reinstalled.

The latest updates of Spybot S&D and Ad-Aware can remove all Xupiter variants.

Manual removal

Open the registry (from the Start menu, click Run and enter regedit) and find the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

(On non-English versions of Windows, ‘Program Files’ and ‘Common Files’ may be called something different. In that case you will have to change these commands to match the name of these folders.)

Restart the computer and open the Program Files folder. Delete the ‘Xupiter’, ‘Browser’, ‘Sqwire’ or ‘Orbit’ folders, and in the OrbitExplorer variant also the ‘OE’ folder inside Common Files. For the Sqwire and OrbitExplorer variants, you should also open ‘Downloaded Program Files’ in the Windows folder and remove the ‘Loader class’ entry if it is there.

You can now restore your home page (Internet Options->General->Home page) and your search settings (Internet Options->Programs->Reset web settings). You can also delete the settings to clean up if you like: open the registry and delete the key HKEY_CURRENT_USER\Software\Xupiter, HKEY_CURRENT_USER\Software\SQ (Sqwire variant) or HKEY_CURRENT_USER\CLSID\{0FDA4D2B-7975-405d-8D7C-F5E2247EAE80} (OrbitExplorer variant).

Description

Marketed as a program to add graphical skins to IE toolbars, it also adds its own toolbar with context-sensitive link/search buttons.

Distribution

Bundled with older releases of iMesh and other free software; more recently, advertised through junk e-mail purporting to be a Microsoft upgrade to Outlook.

What it does

Advertising

Yes. HotBar’s toolbar grows buttons on the left-hand side leading to advertisers’ and/or paid search sites dependent on the site you are currently viewing.

Privacy violation

Yes. HotBar sends the address of every web site you visit to its controlling servers along with a unique ID that would enable your web usage habits to be tracked. Some sites are monitored more closely, with full URLs and/or data entered into forms being sent to HotBar.

Security issues

Yes.

Hotbar can silently download and execute arbitrary code from its controlling server, as an update feature.

Stability problems

None known.

Removal

Should be removable from ‘Add/Remove Programs’ on the Control Panel, under the name ‘HotBar’ or ‘Web Tools by Hotbar’.

Version 3 of the software leaves some mess behind in the registry, which you can clean up by running regedit if you want. Keys you can delete: